REC D 1 4 OCT 2003 



VI 107S029 



UNITED STATES DEPARTMENT OF COMMERCE 
United States Patent and Trademark Office 



October 06, 2003 

THIS IS TO CERTIFY THAT ANNEXED HERETO IS A TRUE COPY FROM 
THE RECORDS OF THE UNITED STATES PATENT AND TRADEMARK 
OFFICE OF THOSE PAPERS OF THE BELOW IDENTIFIED PATENT 
APPLICATION THAT MET THE REQUIREMENTS TO BE GRANTED A 
FILING DATE. 



APPLICATION NUMBER: 60/409,425 
FILING DATE: September 10, 2002 

RELATED PCT APPLICATION NUMBER: PCT/US03/28149 




By Authority of the 

COMMISSIONER OF PATENTS AND TRADEMARKS 



M. TARVER 
Certifying Officer 



PRIOWTY 
DOCUMENT 

• SUBMnTEDORTRANSMnTEDIN 
•■GOMPLIANGE WTH RULE-l71(a>OR Cb) 




I -J 



DATE OF DEPOSIT: 9/10/02 



Please lype a pbis (♦) cnsttte ihis box - 




PROVISIONAL APPUCATION FOR PATENT rnueo ftuccr 

This .s a l^quest^r n,,n, a P^O^'^tOr^j:i.SSSr.^^^^^ 



Given Name (first and middle Df anvl) 



Joseph Samuel 



EL 80383468 5US 
INVENTOR(S> 



s 



FamBy Name or Surname 



Blevinsy Sr. 



□ AddHhnaf inventors are bemg named on the 
iOT STANDBY METHOD AND APPARATUS 



Residence 
(Crty and eith er State or Foreign CountrY) 



Export Pennsylvania 



Direct all conespondenceto: 



[✓] CustomerNumber (o03705 

OR ^ ^ 

Type CustomerNumberhera 



CORRESPONDENCE ADDRESS 

I — - 



Firmer 
Individual Name 



«ace CustomerNumber 
Bar Coda Label h&B 



Address 



City 



Kirk D. Houser 



Eckcrt Scamans Cherin & Mellott. LLC 



600 Grant Street, 44th Floor 



Pittsbmgh 



State I PA 



|TA»« phone 1412.566:6083 | 
ENCLOSEDAPWJCATOMPAD TS/irfleefr^^ 

9S I I 



ZIP 



15219 



412.566.6099 



I 25 I 



1 



|~ CD(8), Number 
I I Other(specify) 



U/J Specification Numberof Pages 
Drawlng(s) Numberof Sheets 
Application Data Sheet See 37 CFR 1.76 

m^odofpaym^ntoffilingfees forthisprovisionalappucationfor"^ ^ 

LJ Applicant claims smaU entity status. See 37 CFR 1.27. " ~ 

LJ A check or money order is enclosed to cover the filing fees 
KI hereby aulhorizedto charge filing 

I L_J ^osorcredltanyoverpaymenttoDepositAccounlNumben 

LJ Payment by credit card. Fonn FTO2038 is attached. 



02-2556 



FILING FEE 
AMOUNT fSI 



S160.00 



I 0 No 

a Yes. the name of Iho U S Govcnuncnl agency and the Government contract number are 



Respectfultysub 
SIGNATURE^ 



TYPED or PRINTED NAME Kirf^P> Houser 
TELEPHONE 4^2-^66-6083 



Date I 9 / 10/ 02| 

REGISTRATION NO. 
fifa/qoropf/afe; 
Docket Numben 



37,357 



'nuiMt= I 283 359-00360 

USE ONLY FOR FILING A PROVISIONAL APPLICATION FOR PATENT 




283359-00360 ^^^a«SH-\ctS. . OiJ J.OOeS 

HOT STANDBY METHOD AND APPARATUS 
1.0 INTRODUCTION • 

1.2 OVERVIEW 

to the Non-Vital M^Sork^triJ*^' ' ^'"^ communicate: serial communication 

Inpm ^rOuSt B^mI Nonnal/Standby pair, and Vital 

i^T »° Non-Vital Microlok I bi de J£n 

iion-vuai a oreakdown u this communication will have no safetv concerns Th/c»,:,i 
commumcation between the Normal/Standby pair utiliz^ a^^TO hT!w f ^f*^' 

-V^ OR Gate^rStS^^ *° ti™^'). or through some type of 

Additional mformation on the outputs is provided to sectio^'^l.S J^^JS 

mn,H TK addresses the hot Standby issue With the above in 

mmd. TTiere is no attempt to actively synchronize aU bits at aU times and tf.«e 

SS^^ ■^•oprovKte a hardware backup for the Konml. the Nom»l urf. b 

f ° two units the Nomal uiut wUl 
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unit senses an internal failure and tak^ itself ofOine. Also", if either unit is reset, all of its 
outputs are suppressed until they are verified to be in synchronization with the unit 
currently online. 

1.3 IMPUMENTATION 

Since each unit is wired and programmed virtually identical as it would be if it 
were a stand-alone unit this system is very easy to implemCTit. The only modifications 
needed to produce the hot standby feature are slight modifications in the hardware and 
application program. 

1.3.1 HARDWARE 



1.3.1.1 Inputs 

Assuming both Microloks are housed on the same rack, all inputs are single runs 
to the rack (most likely to a weidmuller). The inputs are then fed in parallel to each unit. 

1.3.1.2 Outputs 

Wifli both units actively producing o:iitputs at all times, the outputs need only be 
"ORed" together through a pair, or a series, of diodes (the series of diodes may be needed 
to meet reliability specifications - see figure I). 



NormaX 
Mlcrolok 



St;anclby 
Mlcrolok 



Normal 
Micjcolok 



St:andby 
Mlcrolok 



Basic Configuration 



Improved Reliability Configuration 



Figure 1: Diode Configurations 

However, diodes cannot be used if the customer requires that the outputs of the 
Standby unit be suppressed if the Normal unit is online. The reason for this is that 
although Microlok can reliably detect a shorted diode when both units are active, it 
cannot reliably detect a shorted diode on the Nomial unit if the Standby unit is not 
producing ou^uts (see ScraariosS and 9 in section IA33 Diode Faults Induced). If the 
Standby's outputs are suppressed the outputs must be "ORed" through some type of 
"Vital OR Gate** which will not allow the possibility of shorting. Union Switch & 
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ft O H O in ftfic* S » O «a J. O Oic! 



smaller and less expensive ^ *^ necessary protection and be 

1.3.1.3 Seried Communication 

either t^^ot'St^llfoneT^^ ™« ^till leaves 

vital or non-vital) for liX to otlS- m^JT. T ''^ "P ^ ^i*^' 

only one conmuiiSn^ort o^Scr^^^^^ S ^"^Pl^'"^'^* system using 

application program ^Sl^t ^^^i ^ V'°''^^ "^"^ ^ »° 

1 .3.1 .4 VCOR Verification 
aWcltro?th™Sv^^^^ 

Input Board. '^^'^ connected to an input of one of its Vital 

1.3.1.5 Nomial Unit Bit 

have one^ufL'TSlSdSlSSn"^^^^ '^^^ ^^^^ 

Normal unit than it d;,es foX sS^d^^t characteristics for the 

1.3.t APPUCATION PROGRAM 

standbyl^^ U^^Tsrirg^^^ ^ ^ changed to a hot 

be one of\L?h^,^ ^^^^ ^^^uZ T "^^^"^ modifying all output bits to 

must be modifi^« if ftey we" ^^u^'^ ""'"^ *^ bits 

Logic Systems 
Synchronization 

unit is ^^S^L'r^d fte o^^ If"* ^""^ P"^"''^"^ outputs if the other 

synchronization hTs n^S!^^* T 0«ce the unit achieves 

^zed S^Ae ^ul^Sfi^S^^^^^ r^"^ Synchronization system is not 

iunctiona, in boft^Sll N^L^dl^X '"^ ""^ ™^ ^"^"^ 
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The Synduonization Systran employs tiie following bits: 

fJ^ni^t^TKM^i:?^^ V P"^«*« « 1 delay 

for the unit to stabilize before the other umt'S VCOR is referenced. 

.STANp ALONE..Srt^^C sets the SYNC bit if STAND. ALONE.SYNC DELAY ts 
set and the other unif s VCOR is down. ^-^^^ i is 

SYNCWATT is a slow set bit which forces the unit coming online to wait until 
senal commnmcahon is stabilized before attempting to synchronize. 

SfNQ is the controlling bit. When the unit coming online is synchronized with 
the umtcunrenUy online the SYNC bit is set. «»wHn 



Health 

The HraWi system is verified by the constant exchange of a HEALTH bit over the 
senal commumwtion line. When flie Normal unit's VCOR is picked, the HEALTH bit is 
required for the Standby unit to stay online. Without the HEALTH bit verifytag ftat 
senal commumcation is stable, the Standby unit is reset. This insures that if 
coimnmucation is lost, one unit is taken ofQine (the Standby). Though this system is 
m'^mi^H^' W^^?^^^^ ^'^^"^ tSNo^^^SSt'also 

u^ttc^^I^^^ *° ^'''^'''^ ''^^°^> Standby 

The HEALTH system employs the following bits: 

• mALTH.WATT DF.T .A Y is a slow clear bit that is set when the other unit's 
^VTHSi? comniunication is not yet established. Its function is to 
set HEALTH.WAIT and maintain it unHl either SL.IN.HEALTH is received or 
time expires. 

• HEALTH.WATT is a slow set bit that sets 1 second aftw 

HE ALTH.W^T DELAY. It clears when SL.IN.HEALTH is received or time 
expu^s and HEALTH.WAIT.DELAY clears. 

• $L.OlJT.|iEAT.TH is the serial bit that the unit sends the other unit. 

• SI/.IN,HBALTH is the serial bit that the unit receives in from the other unit. 
Reset 

reset wh^^'tLTLTl^ protects Ae pair's vital functions by forcing the Standby unit to 
reset when ttiere is a disagreement between the units. This system is always active in the 
Standby urat if the Normal unit's VCOR is picked. 
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The RESET system employs the following bits: 

• SYS.RESET is a slow set bit that is only operational in the Standby unit. When 
the bit sets» the unit resets. 

• SL,OTJT.RESET is sent from the Nomial unit to the Standby unit when the 
Normal determines there is a disagreement and wants tibe Standby to reset. 

• SL.INJRESET is the bit the Standby unit receives when the Normal unit sends 
SL.OUT.RESET. 

• GR01JP.XX.RESET type bits are groups of individual reset bits that are used to 
simplify the SYS.RESET assign statement and eliminates the need for timers on 
all individual reset bits. 

Bit Types 

There are three types of bits: Unrestricted. Half Restricted, and Restricted. All 
three of these types must be utilized to insure that the hot standby operates safely but 
does not waste system resources on unnec^sary tasks. 

These three types of bits have the following in conunon: 

• If the other imit's VCOR is down the unit will produce the output whenever the 
assign statement is satisfied. 

• If the other unit's VCOR is up the unit must also receive serial communication. 

• Unrestricted bits require a generic health bit. 

• Half-Restricted bits require a bit verification from Normal to Standby. 

• Restricted bits require bit verification to and from both units. 

• If the other unit is in control^ the unit being brought online cannot produce any 
outputs until it is in SYNC. 

• If both units are online and any bit states disagree for a selected period of time 
either the Normal unit will reset the Standby or the Standby will reset itself 

• With minor modifications the Standby unit's outputs can be suppressed when the 
Normal unit's VCOR is picked. 
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- 

Unrestricted 

These bits require no bit specific serial commmucation between the units in order t« 
Half Restricted 

These bits are unrestricted in flie Normal unit, but restricted in the Standbv The «3tanHK^ 
Z output until it receives verification (4 s^T^^^^J^^nf ^ 

that the Normal umt has also satisfied the assien statement Thie f,»,» '^™™"™caaon; 

Restricted 

Th^e bite are restricted in both the Normal and the Standby units Neither unit can 
pioduoe the output untU it receives verification (via serial c^lSS ^ Smother 

amount of senal commumcation mvolved. It is specificaUy designed for Locks 17.1 hit 



1. 



2. 



llri^^fiT''''°™^t.^*°"* of external Lock relays the internal 

vanables wUl requure this configuration. luwraai 

iL?fi.^°"' -n communication the 

verification will need to be passed via Vital Input ami Output BoaiSs 



1.4 TEST PLAN 



1.4.1 BACKGROUND 



SuDDlv Thf ^ shared the same Power 

tt?NSi.S (Smo'r^rr^A^^ accomplished with a caWe from 
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1.4.2 BASEUNE INFORMATION 

1.4.2.1 Software 

Both units were uploaded vyifh the following application program: 

File Name: MLK_TEST_2.0.doc 
AppUcation Image CRC: e6c7 
Application Image Checksum: f78b 

1.4.2.JL Reference Pointe 

The following references were used for testing purposes: 

• " VCOR picked" was reforaiced from the lighting of flie VCOR indication on the 
Power Supply Board. 

• Serial communication was referenced fifom the COM indications f A. B CD and 
E)ontheCPUBoanL v » . . 

• Outputs were referenced from the mdications on the Vital Output BoaixL 

• For the purpose of testing, the following reference bits were not considered to be 
outputs: 

OUT 7 - SYNC. WAIT 
OTJT8-SYNC 

OUT 9 - HEALTH. WAIT.DELAY 
OUT 10 - HEALTH. WAIT 
OUT 12 - SL.OUT.04 
OUT 13 - SL.IN.04 
OUT 14 - OUT.RESET 
OUT 15 - INJRESET 
OUT 16 -COM ALT 
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1.4.3 TESTS 



1.4.3.1 No Faults Induced 



Scenario 1 


Unit RESET while the other is offline (CPU pulled) 


Purpose 


To verify that each unit can operate as a Stand-alone unit. 


Attempts 


5 (each umt) 


Result 


Unit came online and produced outputs: 

• Time fiom RESET to picking of VCOR = 14 sec, 

• Time from RESET to outputs =15 sec. 

• Time from RESET to attempted serial communication = 25 sec. 


Coixunent 


• The times were the same for both the Normal and Standby imits. 




Scenario 2 


Unit RESET while the other unit is online, communicating, and 
producing outputs 


Pucpose 


To verify that each umt can be brought online without any intOTuption 
of controlling unit. 


Attempts 


5 (each umt) 


Result 


Unit came online and produced outputs: 

• Time from RESET to picking of VCOR ^14 sec, 

• Time from RESET to serial communication 25 sec. 

• Time from RESET to outputs = 30 sec. 


Comment 


• The times were the same for both the Normal and Standby units. 

• No change in outputs occurred in the other unit. 




Scenario 3 


Power up both units simultaneously 


Purpose 


To verify that there is no circular logic which would prevent the units 
irom coming online simultaneously. 


Attempts 


5 


Result 


Both umts powered up and produced outputs: 

• Time fiom power to picking of VCOR « 1 8 sec. 

• Time from power to serial communication — 29 sec. 

• Time fit>m power to both unifs outputs = 35 sec. 


Comment 


• This functioned as expected. 

* No interruptipn of outputs occxirred in cither unit. 
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1.4.3.2 Faults Induced 



Scenario 4 


• Both umts online 

• Remove IN.02 bit from the Standby imit 


Purpose 


To prove that the Nomial unit will RESET Ihe Standby unit if there is a 
disagreement in bit states, and that there is no danger in allowing the 
Standby unit to attempt to come back online after it is RESET- 


Att^pts 


• 1 disconnect of input 

• Standby mut RESET 34 times 

• 20 minutes time 


Result 


Standby unit RESET and continued to cycle: 

• Time from removal of input to first RESET = 1 0 sec. 

• Time from removal of input to first VCOR pick = 23 sec. 

• Time from removal of ii^ut to first establishment of serial 
communication with Normal unit » 3S sec. 

• Time from removal of input to second RESET = 38 sec. 


Comment 


• Standby unit continued to cycle, resetting every 15 seconds after 
the VCOR picked. 

• The Standby unit never produced any outputs 

• The Normal unit's outputs were never interrupted. 

• After approximately 30 minutes IN.02 was restored to Standby imit 
and after the completion of its curr^t reset» it came back online 
and produced outputs. 




Scenario S 


• Both units online 

• Remove IN.02 bit from the Standby unit 

• Reset Normal unit 

• Wait 1 minute 30 seconds 

• Restore IN.02 bit to the Standby unit 


Puxpose 


To prove that synchronization is required for the Nomial to come 
online if the Standby is in control and that the Normal unit cannot 
RESET the Standby as the Normal unit comes online. 


Attempts 


5 - - 


Result 


Normal umt did not produce ou^uts until after IN,02 was restored to 
the Standby unit; 

• Time from RESET to VCOR pick = 14 sec. 

• Time from RESET to serial communication « 25 sec. 

• Time from RESET to IN.02 restored to Standby = 1 min, 30 sec. 

• Time from RESET to outputs =^ 1 min. 30 sec. 


Comment 


• The Standby unit's outputs were never interrupted. 
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Scenario 6 


• Both units online — = ' 

• RESET unit while IN.02 and IN.04 are constantly toggled 
(approximately 4 times a second) 


Finpose 

Attempts 
Result 


1 o prove that ilaslung bits or several bits changing state wUl not hinder 
the umt from synchzonizmg and coming online. 

5 (each unit) — 

• Both umts came online in the usual tunefrmnR 


Comment 
Scenario 7 


• The controlling unit's outputs were never intemipted 

• Bofli units online ' " — 

• Bits OUT.02 and OUT.04 set, and bit OUT.03 clear 

• RESET unit 

• Wait 5 seconds 

^ xvBOXL 1 fJUicT unit 


Puipose 
Attempts 


To prove that either umt will produce outputs immediately if the othw " 
umt's VCOR is down. 

5 (each unit) ' ~~ 


Result 


• The unit RESET first came online and immediately produced 
outputs. 

• The um't RESET second had to synchronize before it produced 
outputs. *^ 


Comment 


• The controllmg umt's (the unit RESET first) outputs were never 
interrupted as the second unit came online 
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1.4.3.3 Diode Faults Induced 



Scenario 8 


• Both units online 

• Place a short across one output diode 


Purpose 


To prove that a shorted diode can be detected by Microlok 


Attempts 


• Twice on each diode of OUT.02, OUT.03 and OUT-04 with the 
outputs high. 

• Twice on each diode of OUT.02, OUT.03 and OUT.04 with the 
ou^uts low. 

• A total of 24 tests. 


Result 


• When the outputs were high, both units detected the short in 9-1 0 
seconds and RESET. 

• When the outputs were low the Normal unit detected the short 
within 1 second and RESET. 

• When the outputs were low the Standby imit did not detect the 
short. All outputs were shorted for at least 1 minute and one was 
allowed to remain shorted for over 8 minutes and the unit still 
failed to detect it. After the elapsed time, the output was toggled 
high and the short was detected within 10 seconds. 


Comment 


• The conclusion is that Microlok can consistently detect a shorted 
diode within 10 seconds if both outputs are high. 

• The unit without the shorted diode maintained its output without 
interruption. 

• Since some properties (possibly MARTA included) would require 
the Standby unifs outputs to be suppressed if the Normal unit's 
VCOR is picked, the question still remains if Microlok can detect a 
shorted diode if the outputs are not the same (both high or both 
low). See Scenario 9. 
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Scenario 9 


• Install modified program in both Microloks which suppresses fhe 
Standby's outputs if the Normal's VCOR Is picked. 

• Bring both units online (the Normal unit has outputs the Standby 
does not) 

• Place a short across one output diode 


Purpose 


To detemiine if shorted diode can be detected by Microiok if the 
outputs are not the same (both high or both low) 


Attempts 


• Twice on each diode of 0111.02, OUT.03 and OUT.04 

• Atotalof 12 tests. 


Result 


• When a diode of the Standby unit was shorted the Standby unit 
detected the short withm I second and RESET. 

• When a diode of the Normal unit was shorted the Normal imit did 
not detect the short. All outputs were shorted for at least I minute 
and one was allowed to remain shorted for over 8 minutes and the 
unit still failed to detect it After the elapsed time, the Normal unit 
was RESET and when it attempted to come back online (its outputs 
low and the Standby unit* s outputs high) it detected the short and 
continually RESET. 


Comment 


• The conclusion is that Microiok cannot detect a shorted diode when 
it is on the hig^ output and the other output is low. 

• If the Standby unit's outputs must be suppressed when the Normal 
units VCOR is picked then diodes are not a viable option. 



1.4.4 CONFIGURATION OF TEST UNITS 



NORMAL UNIT 


BOARD 


SLOT 


PART# 


SERIAL # 


REVISION 


CPU 


18 


N17003401 


1201028 


2 


Vital Input - 16 


13 


Nl 7001001 


0998048 


2 


Vital Output - 16 


15 


N170005O1 


0898006 


2 


Power Supply 


6 


N16600301 


1998022 


4 




STANDBY UNIT 


BOARD 


SLOT 


PART# 


SERIAL// 


REVISION 


CPU 


18 


Nl 700 1301 


3100010 


7 


Vital Input - 16 


13 


Nl 7001 001 


0998033 


2 


Vital Ou^ut - 16 


15 


N17000501 


0898005 


2 


Power Supply 


10 


N451810750 


2498001 


2 
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Appendix 1 - Sample Program 



"PROGRAM: HOT STANDBY TEST 

"LOCATION: OA LAB 

"UNIT: MICROLOKII 

" AUTHOR: JOSEPH S. BLEVINS 

"FILENAME: MLK TEST 2.0.doc 

"REV: 2.0 



it* 



REV HISTORY: 1 



Modified SYNC system. 

Created STAND.ALONE.SYNC.DELAY. and 

STAN0.ALONE.SYNC. 

Added STAND.ALONE.SYNC to the SYNC 

assign statement so it will set 1 second 

after the unit comes online if tiie other 

unit's VCOR is dovtm. 

Removed "+ (SLOUT.XX * -VCOR) firom all 
OUT.XX.SYNC assign statements. 



"VER: 0.00 

" APPLICATION IMAGE CRC: e6c7 
" APPLICATION IMAGE CHECKSUM: f78b 

"CHECKED BY: 
"TESTED BY: 
" INSERVICE BY: 



MICROLOKJI PROGRAM HOT STANDBY_MLK TEST_ZO; 
INTERFACE 
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LOCAL 



/**** VITAL OUTPUT BOARD 1 ****/ 



BOARD: 

TYPE: 
OUTPUT: 



V0_SL0T_J15 
ADJUSTABLE ENABLE: 1 
0UT16 



□Only OUT.02, OUT.H.03. and OUT.L04 simulate true outputs. The remaining bits ^ 
are only used to give an indication on Hie output board for testing puiposes. 



SPARE. 
SPARE 

OUT.HEALTH.WAIT.DELAY.09. 
OUT.IN.L.04.13. 



OUT02, 
SPARE 

OUT,HEALTH.WAIT.10, 
OUT.OUT.RESEr.14, 



OUT.H.03, 

OUT.SYNC.WA1T,07, 
SPARE. 

0UTIN.RESET.15. 



OUT.L.04. 
OUT.SYNC.08. 
OUT.OUT.L.04.12, 
0UT.C0MALT.16; 



*/ 



/**** VITAL INPUT BOARD 1 

BOARD: VLSL0T_J13 

ADJUSTABLE ENABLE: 1 
TYPE: IN16 
INPUT: 



□n the Noimal unit. NORMAL (bit 16) is energized from a constant source. It must ^ 
» tiigh In the Nonnal unit and low in the Stoidby unft. j 

VCOR. IN.02. IN.03. IN.04. 

SPARE, SPARE. SPARE, SPARE. 

SPARE, SPARE. SPARE. SPARE. 

SPARE, SPARE. SPARE, NORMAL; 

1^ 
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COMM 



i ' Two COM ports sre used so that the same software can be used in both unite. 



r^* BITS IN/OUT MASTER ***V 



LINK: HOT.MASTER 
ADJUSTABLE ENABLE: 1 
PROTOCOL MICROLOKMASTER 
ADJUSTABLE POINTPOINT: 1; 
ADJUSTABLE PORT: 1; 
ADJUSTABLE BAUD: 19200; 
ADJUSTABLE STOPBITS: 1; 
ADJUSTABLE PARITY: NONE; 
ADJUSTABLE KEY.ON.DELAY: 0; 
ADJUSTABLE KEY.OFF.DELAY: 12; 
ADJUSTABLE STALE.DATA.TIMEOUT: 3:SEC; 
ADJUSTABLE POLLING.INTERVAL: 60:MSEC; 
ADJUSTABLE MASTER.TIMEOUT: 100:MSEC; 
ADDRESS: 1 
ADJUSTABLE ENABLE: 1 

BITS OUT —V 

OUTPUT: 

SL.OUT.02. SLOUT.03, and SLOUT.04 represent ail output bits. If the MIcrolok 
had hvo 16 bit Vital Ouput Boards (and ail bite were used) then there would be 32 
bite listed. 

SLOUT.HEALTH and SLOUT.RESET are the only extra bits required for hot 
standby operation. 



SL.OUT.02. SL.OUT.H.03, SLOUT.L.04, 

SLOUT.HEALTH. SLOUT.RESET: 



IS 



/'•** BITS IN/OUT SLAVE ****/ 



LINK: HOT.SIAVE 
ADJUSTABLE ENABLE: 1 
PROTOCOL- MICROLOK.SLAVE 
ADJUSTABLE POINT.POINT: 0: 
ADJUSTABLE PORT: 2; 
ADJUSTABLE BAUD: 19200; 
ADJUSTABLE STOPBITS: 1; 
ADJUSTABLE PARITY: NONE; 
ADJUSTABLE KEY.ON.DELAY: 0; 
ADJUSTABLE KEY.OFF.DELAY: 12; 
ADJUSTABLE STALE.DATA.TIMEOUT: 3:SEC: 
ADDRESS: 1 

ADJUSTABLE ENABLE: 1 

/****BITSIN***»/ 

INPUT: 



SL.IN.02, SLIN.03, and SL.IN.04 represent afl output bits from the other unit. If the ' 
Microlok had two 16 bit Vital Ouput Boards (and all bits were used) then there 
would be 32 bits listed. 

SL.OUT.HEALTH and SLOUT.RESET are the only extra bits required for hot 
standby operatton. 



SLJN.02. SLIN.H.03. SL.IN.L.04. 

SL.IN.HEALTH. SLIN.RESET; 
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/**** VARIABLES'***/ 



BOOLEAN BITS 

SYS.RESET, GROUP.01 .RESET. GROUP.02.RESET. 6ROUP.03.V.RESET, 

OUT.RESET.02, OUT.H.RESET.03. OUT.LRESET.04. 

SYNC. SYNC.WAIT, STAND.ALONE.SYNC.DEUY. STAND7\L0NE.SYNC. 

OUT.02.SYNC. OUT.H.03.SYNC, OUT.L04.SYNC, 

HEALTH.WAIT.DELAY, HEALTH.WAIT. 

COAflALT, 

SLIN.H.03.D. SL.IN.L04.D: 

TIMER BITS 
r*» TIMERS****/ 



SLOUT.RESET is sent from the Normal unit to Q>e Standby unit when the Normal ^ 
determines there is a disagreement in bit states. It is delayed to allow the Standby 
time to synchronize. The exact setting for this bit is based on the needs of each j 
application, it should be as short as possibie without effecBng reliability. j 

I SLQUT.RESET: lSETg3:SEC j CLEAR = 0:SEC; I 



SYS.RESET is an internal bit that RESETS the Standby unit if it is out of ^ 
synchronization with the online Normal unit. It is slightly delayed to insure tiie unit j 
does not Wisely reset The exact setting for this bit is based on the needs of each 8 
appBcation. It should be as short as posable vwthout effecting reliability. | 

ISYS.RESET: |SET = 3:SEC I CLEAR = 0:SEC: I 



' The 6R0UP.RESET bits represent groups of individual bit reset commands. They 
are slightly delayed to insure the unit does not reset ^sely. GROUP.03.V.F^SET 
contains bits Piat are "more vitaT such as Switch Locking or Route Loclcing. 
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therefore they are given a shorter reset time. The exact setting for these bits is 
based on the needs of each application. They should be as short as posdble 
wittiout effecting reliability. 



GROUP.01 .RESET: 


SET = 3:SEC 


CLEAR = 0:SEC; 


GROUP.02.RESET: 


SET = 3:SEC 


CLEAR = 0:SEC; 


GROUP.03.V.RESEr: 


SET = 1:SEG 


CLEAR = 0:SEC: 



HEALTH.WAIT.DELAY is an internal bit that vrorks together with HEALTH.WAIT to 
allow the Standby unit to maintain its outputs while the Nomial is brought online. It 
is also utilized in the Normal unit but only for Restricted 1^. It fills in the gap 
between the time the NormaFs VCOR picks and communication between the pair is 
established. It is set for 20 seconds because it takes appro)dmateiy IS seconds for 
a unit to estabfeh serigj communicatfCT) after the VCOR is picked. 



HEALTH.WAIT.DELAY: 



iSET = 0:SEC 1 CLEAR = 20:SEC: | 



^ HEALTH.WAIT shortens the effect of HEALTH.WAIT.DELAY to 1 second after 
serial communication is est^iished. HEALTH.WAIT is used in all output bit assign 
statemente. 



I HEALTH.WAiT: 



|SET = 0:SEC I CLEAR= 1:SEC: i 



STAND.ALONE.SYNC.DELAY is a slow set bit that aHows the unit to stabilize 
I before VCOR is referenced for SYNC. 



I STAND.ALONE.SYNC.DELAY: 



I SET a 1:SEC ) CLEAR = 0:SEC; 
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i ^'1?" ^ «' "hat allows sertal communioaaon to stabW 






CONSTANTS BOOLEAN 

ONE = 1; 
ZERO =0: 



CONFIGURATION 
SYSTEM 



ADJUSTABLE DEBUG_PORT_ADDRESS- 
^S*!nf DEBUG_PORT.BAUDRATE: 
ADJUSTABLE LOGIC_TIMEOUT: 
ADJUSTABLE DELAY_RESET: 



1: 

9600; 

2:SEC: 

3:SEC: 



*/ 
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r*** LOGIC *^/ 



LOGIC BEGIN 



/**** MICROLOK SYSTEM CIRCUIT ****/ 



*ssa» ONE 


TO 


CPS.ENABLE; 


ASSGH ONE 


TO 


STAND^ONE.SYNC.DEUY; 


AS9GN ONE 


TO 


SLOUT.HEALTH; 


SYS.RESET 


TO 


RESET: 



/♦** RESET BITS ***/ 



SYS.RESET is a slow set bit that only functions in the Standby unit. 

The bits in the assign statement function as follows; 

VCOR insures that the unit vinll only RESET if the Nonnal unit is online. 

SUN.RESET comes from Ihe Nom>al unit and forces the Standby unit to RESET. 

--SUN.HEALTH insures the Standby unit will RESET itself if serial communication 

is lost between the units. 

--HEALTH.WAIT insures the Standby unit will not RESET itself before serial 
communication Is established when the Normal unit is coming online. 
GROUP.01, RESET. GROUP.02.RESET, and GROUP.03.V.RESET are groups of 
individual reset bits. See below. 



{-NORMAL* VCOR)* 
{SLIN.RESET + 






«aoi ({-SL.IN.HEALTH * -HEALTH.WAIT) + 


™ SYS.RESET; 


(6ROUP.01 .RESET + 6ROUP.02.RESET + 


GROUP.03.V.RESET))) 





SL.OUT.RESET is a slow set bit that is sent from the Normal unit to the Standby " 
when any output bit is out of sync. It is primarily controlled by the GROUP.RESET 
bits, however, the SYNC bit fe also required so that the Normal unit cannot reset 
the Standby unit if the Normal is being powered up and cannot achieve 
synchronization with the Standby. 



^ (NORMAL* SYNC)* 

(GROUP.01 .RESET -t- GROUP.OZRESET + GROUP.03.V.RESET) 



TO SL.OUT.RESET; 
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GROUP.01 .RESET, 6ROUP.02.RESET. and GROUP.03.V.RESET are groups of ^ 
individuat reset bits (though only one RESET bit Is assigned to each for testing). 
The Individual reset bits are grouped together to simplify the SYS.RESET equation 
and to allow for a longer time delay for non-synchronous situafions which may be 
caused by serial communication delays. Three groups are used for testing but the 
maximum number of groups is unlimited. Multiple groups should be used to limit 
the number of bits so that continuous changes of bit states vwll not by 
mi^nterpreted as a non-synchronous condition. 

GROUP.03.V.RESET represents groups of bits that are "more vitel" such as Switch 
Lod<s and Route Locks. This group is gh^ the absolutely shortest time delay 
possible to maintain reliability. 



«SBH OUT.RESET.02 


TO GROUP.01 .RESET; 


Asaa. OUT.H.RESET.03 


TO GROUP.02.RESET; 


«aGH OUT.L.RESET.04 


TO GROUP.03.V.RESET; 



/*** SYNCHRONIZATION BITS **V 



SYNC suppresses all outputs of the unit being brought online until they are verified 
to be synchronous with the unit cunenlly in control or the other unif s VCOR is 
down. Once It Is set it is stack high until the unit Is powered down. 



_ SYNC + STAND.ALONE.SYNC + (OUT.02.SYNC * ^^^.^ 
OUT.H,03,SYNC * OUT,L04.SYNC) ^ ^YNC; 



SYNC. WAIT is a slow set bit that suppresses verification of 

bits in the unit being brought online untfl it is powered up 

and both the unit and the serial communicatian link are stable. Once it is set it is 

stuck high until the unit is powered down. 



SYNaWAIT + (VCOR*SUN,HEALTH) to SYNC.WAIT; 



STAND.ALONESYNC is an intemal bit that will set the SYNC bit one second after 
the unit is powered up if the other unit's VCOR is down. 



zi 



/>ss.0N -VCOR*STAND.ALONE.SYNC.DELAY to STAND J^LONESYNC; 
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r** HEALTH BITS ***/ 



*• HEALTH.WAn- and HEALTH.WAIT.DELAY allow Oie Standby unit to maintain Its ' 
outputs between the time that the Nomial VCOR picks and communication is 
establfehed between the units. HEALTH.WAIT.DELAY is a slow clear bit that sets 
when the VCOR pnks in the unit coming online. HEALTH.WAIT.DELAY sets 
HEALTH.WArr which remains high until either HEALTH.WArr.DELAY expires or 
serial communication is established. This is necessary to insure that as soon as 
serial communication Is established Ihe HEALTH bit Is not able to ovenide any 



AsswH VCOR * -SLIN-HEALTH * -HEALTH.WAIT.DELAY 


TO HEALTH.WAIT.DELAY; 


ASB. HEALTH.WAIT.DELAY*~SLIN.HEALTH 


ro HEALTH.WAIT: 


/*•* OUTPUT BITS *"/ 




r** UNRESTRICTED BFT ***/ 





** The tenn IN.02 is used for testing purposes. In reality it would be replaced by a 
logic equation. In the terra SL.OUT.02. SL stands for Serial Link, and OUT.02 
represents the resulting bit of the satisfied assign stetemenL SLOUT.02 Is 
immediately sent out serially to the other unit. 



«swi IN.02 TD SL.OUT.02; 



OUT.02.SYNC is primarily satisfied by the SL.OUT.02 bit If the other unit Is online 
(VCOR is picked, or in the process of booting up) it is referenced to Insure that the 
bit is in ihe same state. Once it is set It is stuck high until flie unit is powered down. 
If the other unit is offline (VCOR down) this bit is bypassed and the SYNC bit is 
satisfied with STANDiU.ONE.SYNC. 



ASSMN 



OUT.02.SYNC + 

(((SL.OUT.02 -8^1^.02)+ OUT 02 SYNC- 
(~SL.OUT.02*-SLIN.02)) OUT.02.SYNC. 
*VCOR*SYNC.WAm 
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OUT.02 is the bit that sets the output high on the Vital Output Board. It is primailty 
satisfied by the SLOUT.02 bit. In the Normal unit the only other lequirement is that 
the SYNC bit must be set (which it will be unless the Nomial is in the process of 
coming online). The Stendby unit requires a serid communlcatton HEALTH bit or 
HEALTH.WAIT. HEALTH.WAIT is used Iceep the Standby unit's outputs set 
between the time the Nonnal unit's VCOR picks and serial conununication is 
established when the Nonnal unit is being brought onHne. Both Oie Normal and 
Standby units will immediately set 9ie bit if SL.OUT.02 is Mgh and the other unit is 
offline (VCOR down). 



SLOUT.02 • (SYNC * (NORMAL* ZZZT 
(-NORMAL * (SLIN.HEALTH » HEALTH.WAIT)n + -VCOR) ^ OUT.02; 



*■ OUT.RESET.02 can only be set h^h in the Normal unit Its purpose is to cause the ' 
Standby unit to reset if there is a disagreement in the bit state between the units. 



NORMAL' 




((SL.OUT.02 •-SL.IN.02) + (-SL.OUT.02 * SLIN.02)) 


TO OUT.RESET.02: | 



/*** HALF RESTRICTED BIT ***/ 



*■ The logic statement for OUT.H.03 functions Ihe same as OUT.02 above, with one 
exception. In the statement for OUT.H.03 the generic serial communicafion 
HEALTH bit is replaced with the wrresponding bit (SL.IN.H.03.D) from the Nonnal 
unit This suppresses the output from the Standby unit until it has been verified that 
the Nomial has also satisfied Vne ass^n statement SLiN.H.03.D is a slow set bit 
used for testing to simulate serial communication delays. 



ASOGN IN,03 


» SL.OUT.H.03; 


OUT.H.03.SYNC + 
^ (((SL.OUT.H.03 * SL.IN.H.03) + 
(-SL.OUT.H.03 * ~SLIN.H.03)) 
*VCOR»SYNC.WAm 


TO OUT.H.03.SYNC; 


^ SL.OUT.H.03 • (SYNC * (NORMAL + 

(-NORMAL • (SLIN.H.03.D + HEALTH.WAm^> + -VCOR^ 


TO OUT.H.03; 


NORMAL* 

((SL.OUT.H.03 •-SLIN.H.03) + 
(-SLOUT.H.03 * SL.IN.H.03)) 


» OUT.H.RESET.03; 
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RESTRICTED BIT ***/ 



ThetogicstetementslbrOUT.L04arethesameasOUr.H.03above wilhone ^ 
Normal or Standby. Both units must have SL.OUT.L04, be in SYNC aS receh/e 

Soi^oM ^ verified that the other unit has also satisfied L assign 
otheS ^"^^^y "^"^ "'e output if it loses the verification fiorn the 



^aw 11^.04 


TO SLOUT.L04; 


OUT.L.04.SYNC+ ' " 

(((SLOUT.L04 * SL.IN.L.04) + 
(~SLOUT.L.04 * -SL.IN.L04)) 
*VCOR*SYNC.WAIT) 


« OUT.L.04.SYNC; 


SLOUT.L.04*(SYlyiC* 

(SLIN.L04.D + HEALTH.WAIT) + 
-VCOR) 


™ OUT.L04; 


NORMAL* 

*^ ((SLOUT.L04 * ~SLIN.L.04) + 
(~SL.OUT.L04 • SLIN.L.04W 


TO OUT.LRESET.04; 



/*** COMMUNICATION ALERT 
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A*** FOR TEST PURPOSES ONLY ***/ 
/**• COM DELAY SIMULATORS ***/ 



1 ' SL.IN.H.03.D and SL.IN.L.04.0 are slow set bits that simulate tlie pos 
1 the serial communication between the Normal and Standby units. 


sible delay in ^ | 






«siGH SL.IN.H.03 10 


SLtN.H.03.D: 


Asaoi SLIN.L04 m 


SLIN.L04.D: 


/*** BIT MONITORS ***/ 




P The foflowing bits produce Indications on the Vital Output Board for te 
I purposes. 


sting ■* 





I^SSIGN 


SYNC.WAIT 


n 


OUT.SYNC.WAIT.07; 


AS9CN 


SYNC 


TO 


OUT.SYNC.08; 




HEALTH.WAIT.DELAY 


TO 


OUT.HEALTH.WAIT.DELAY.09; 


ASSGN 


HEALTH.WAIT 


n> 


OUT.HEALTH.WAIT.10: 


ASSICN 


SLOUT.L04 


TO 


OUT.OUT.L.04.12; 


ASS6N 


SLIN.L04 


TO 


OUT.IN.L.04.13; 


ASSIGN 


SLOUT.RESET 


TO 


0UT.0UT.IRESET.14: 


ASSIGN 


SL.iN.RESET 


ID 


0UT.IN.RESET.15; 


ASSIGM 


COIWALT 


TO 


0UT.C0MALT.16: 



END LOGIC 
END PROGRAM 
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